Hey All,
Just wondering if any of you have been able to set up CentOS 5.4 to authenticate against AD on a Server 2008 R2 Domain Controller. I am trying to complete this particular setup; however, I have run into some difficulties, such as not being able to look up domain users via getent passwd.
Thanks for your input,
Dan
On Friday, February 05, 2010 12:20 PM, Dan Burkland wrote:
Are you using winbind? What do the logs for winbind say?
I am indeed using winbind. While I am not new to CentOS, I am a greenhorn when it comes to Winbind. What log is considered the main Winbind log? (perhaps /var/log/samba/winbind.log?) Also, I have posted my smb.conf on pastebin: http://centos.pastebin.com/f5b4406a7
Thanks again for your help,
Dan
From: centos-bounces@centos.org [centos-bounces@centos.org] On Behalf Of Christopher Chan [christopher.chan@bradbury.edu.hk]
Sent: Thursday, February 04, 2010 10:30 PM
To: centos@centos.org
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
On Friday, February 05, 2010 12:45 PM, Dan Burkland wrote:
Does either 'wbinfo -u' or 'wbinfo -g' work for you?
If they do, do you have entries in nsswitch.conf for winbind?
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
Sent: Thursday, February 04, 2010 10:59 PM
To: centos@centos.org
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
wbinfo -u & wbinfo -g do indeed work for me; however, getent passwd or getent group returns no AD users or groups. I have winbind entries in nsswitch for both the passwd & group entries. Joseph, I will try a newer RPM from a different repository and see if that resolves my issues. Did my smb.conf look ok?
Thanks again guys,
Dan
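The checks Christopher asks for above (wbinfo -u / wbinfo -g, and winbind on the passwd and group lines of nsswitch.conf) and Dan's result (wbinfo lists users, getent does not) point at smb.conf rather than at nsswitch. On the Samba 3.x that CentOS 5 ships, getent passwd only enumerates domain accounts when winbind enum users = yes and winbind enum groups = yes are set (the default flipped to no in 3.0.23), and winbind needs an idmap range before it can hand out any UIDs or GIDs. The script below is an added example, not something posted in the thread: it reads an smb.conf and an nsswitch.conf and reports which of those pieces is missing. The two smb.conf samples and the nsswitch.conf it writes to a temporary directory are constructed for the example and are not Dan's pastebin configuration.

```shell
#!/bin/sh
# Added example: offline check for the "wbinfo -u works, getent passwd is empty"
# symptom on a Samba 3.x winbind client. Not from the thread; the sample
# configuration files are constructed here.

# Print the value of a [global] smb.conf parameter, or nothing if it is unset.
# Whole-line comments (# or ;) are dropped; key comparison is case-insensitive.
smb_param() {
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed 's/^[[:space:]]*[;#].*//' "$1" | awk -v want="$_want" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) print val
        }'
}

# Exit 0 if database $2 (passwd, group, shadow, ...) in nsswitch.conf $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Report every missing piece for one smb.conf ($1) / nsswitch.conf ($2) pair.
# Returns 0 only when getent should be able to enumerate domain users and groups.
check_winbind_conf() {
    _rc=0
    for _p in "winbind enum users" "winbind enum groups"; do
        case "$(smb_param "$1" "$_p" | tr 'A-Z' 'a-z')" in
            yes|true|1) ;;
            *) echo "MISSING: '$_p = yes' (wbinfo enumerates, getent will not)"; _rc=1 ;;
        esac
    done
    if [ -z "$(smb_param "$1" "idmap uid")" ] &&
       [ -z "$(smb_param "$1" "idmap config * : range")" ]; then
        echo "MISSING: idmap range (e.g. 'idmap uid = 10000-19999'); winbind cannot allocate UIDs"
        _rc=1
    fi
    for _db in passwd group; do
        nss_has_winbind "$2" "$_db" ||
            { echo "MISSING: 'winbind' on the $_db line of $2"; _rc=1; }
    done
    return $_rc
}

# Constructed sample files (not Dan's pastebin config): a joined-but-silent
# smb.conf, the same file with the missing settings added, and an nsswitch.conf
# that already has winbind on passwd and group.
write_samples() {
    cat > "$1/nsswitch.conf" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
EOF
    cat > "$1/smb-broken.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   winbind use default domain = yes
EOF
    cat > "$1/smb-fixed.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   ; the range winbind allocates Unix IDs from; keep it clear of local accounts
   idmap uid = 10000-19999
   idmap gid = 10000-19999
   ; without these two, getent passwd/group lists no domain entries (default is no since 3.0.23)
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for f in smb-broken.conf smb-fixed.conf; do
    echo "== $f"
    if check_winbind_conf "$demo/$f" "$demo/nsswitch.conf"; then echo "OK: getent should enumerate"; fi
done
rm -rf "$demo"
```

Against a real box, run check_winbind_conf /etc/samba/smb.conf /etc/nsswitch.conf. Enumeration is only needed for getent to list everything: a single lookup (getent passwd DOMAIN\user) and an actual login through pam_winbind work without it, which is the point Joseph makes further down.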
It did...which is why I asked whether wbinfo -u/g worked...
getent doesn't need to return data for this to work, just wbinfo. It's likely the issue I spoke of, aside from the winbind entries in smb.conf that allow local logon.
Take my advice: yum erase samba == uber happiness
Get ldap working, no interop issues with the old samba version in rhel and newer ms servers. Plus you will be using something forward compatible that a txt edit could likely fix in the event something drastic changed in the schema and search filters for example had to change.
On Fri, Feb 5, 2010 at 6:25 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
+1
We've been using nss_ldap against AD for years. It's never a problem.
Jeff
From: centos-bounces@centos.org [centos-bounces@centos.org] On Behalf Of Jeff [jlar310@gmail.com]
Sent: Sunday, February 07, 2010 9:20 AM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
Version 3.4.5 of Samba did end up resolving the issue I was having, and now AD users can log in to the box. I am, however, interested in going the LDAP route, mainly for the forward compatibility reason stated by Jeff. Is there anything special I need to do on the DC for the LDAP authentication to work?
Thanks,
Dan
Do we lose kerberos security if one switches from samba + winbind to ldap?
On Sun, Feb 7, 2010 at 8:29 PM, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
No, but you'll have to generate UIDs and GIDs for all AD users and groups....
That is the one thing that has stopped me from using AD LDAP for user/group management.
You could use winbind to create a NIS map (sans passwords) and have Linux/Mac clients authenticate with NIS+Kerberos.
That RID map feature of samba is great.
-Ross
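Dan's question (what the DC needs for the LDAP route) and Ross's answer (every account needs a UID and GID) come down to two things on the AD side. First, uidNumber and gidNumber (plus unixHomeDirectory and loginShell) must be populated on each user and group; on 2008 R2 those RFC 2307 attributes are already in the schema, and installing the Identity Management for UNIX role service (the successor of SFU) gives Active Directory Users and Computers a UNIX Attributes tab to fill them in. Second, the DC needs a server certificate so the client can use StartTLS or LDAPS, because AD will not let the NSS proxy read anonymously and a simple bind otherwise sends that account's password in the clear. The /etc/ldap.conf below is an added example of how a CentOS 5 nss_ldap/pam_ldap client would be pointed at such a DC; it is not from the thread, and the host name, base DN, OUs, service account and CA file path are placeholders.

```text
# /etc/ldap.conf for nss_ldap/pam_ldap on CentOS 5, pointed at an AD DC.
# dc1.example.com, dc=example,dc=com, the nssproxy account and the CA file
# are assumed for this example.
uri ldap://dc1.example.com/
base dc=example,dc=com
scope sub
# AD answers with referrals for other partitions; chasing them stalls lookups.
referrals no

# AD refuses anonymous reads, so a low-privilege read-only account binds.
# This file has to be world-readable for NSS to work, so every local user can
# read the password: give the account no rights beyond reading user/group objects.
binddn cn=nssproxy,ou=Service Accounts,dc=example,dc=com
bindpw ChangeMe

# Without TLS the bind above goes over the wire in clear text. The DC must
# carry a certificate that chains to the CA in tls_cacertfile.
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ad-ca.pem
tls_checkpeer yes

# Map RFC 2307 lookups onto AD's user and group objects. uidNumber and
# gidNumber are read as-is, so a user without them simply does not exist
# to the Linux box.
nss_base_passwd ou=People,dc=example,dc=com?sub
nss_base_group ou=Groups,dc=example,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

# Only used if pam_ldap, rather than pam_krb5, does the password check.
pam_login_attribute sAMAccountName
pam_filter objectclass=User

# Keep local daemons off the directory so a DC outage cannot stall boot.
nss_initgroups_ignoreusers root,ldap
```

Authentication does not have to go through pam_ldap at all: keep pam_krb5 for the password check, so user passwords only ever reach the KDC, and let nss_ldap do name and ID lookups. That is why, as Ross says, the switch costs no Kerberos security. What it does cost is the automatic SID-to-UID mapping: uidNumber and gidNumber have to be populated before a user can log in, and keeping them unique across domains and other Unix systems is the problem discussed further down.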
On Tue, Feb 9, 2010 at 3:23 PM, Joseph L. Casale jcasale@activenetwerx.com wrote:
Forgot about that, AFAIK, you can do that w/ SFU & pam mods.
I have two Samba servers left that I want to get rid of:)
You can do it with SFU, but SFU doesn't create UID/GIDs for existing users, you have to do those manually.
Then there is the whole issue of maintaining those IDs over a long period of time.
Also with RID mapping I can map different domains into different ID ranges.
100000 - 199999 first domain 200000 - 299999 second domain
And so on.
You know you don't need the full Samba install to setup a winbind->NIS server, just the Samba client will do.
Then have your Linux boxes using NIS+Kerberos and only 1-2 boxes needs have a smb.conf and winbind running.
NIS is only as secure as the network it runs on. If it bumps against public networks (insecure wifi and so on), use 802.11 authentication.
-Ross
From: centos-bounces@centos.org [centos-bounces@centos.org] On Behalf Of Ross Walker [rswwalker@gmail.com]
Sent: Tuesday, February 09, 2010 4:08 PM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5.4 x86_64 authenticating against AD (Server 2008r2)
For anybody wanting to know how to go the LDAP route, I found an interesting article in the linux.com archives: http://www.linux.com/archive/feed/40983
Thanks again guys for your input.
Dan
On Feb 9, 2010, at 6:27 PM, Dan Burkland dburklan@NMDP.ORG wrote:
If it works for you great.
If you have hundreds or thousands of users and hundreds of groups, well, good luck. It is extremely hard to automate assigning these uids/gids and making sure they don't collide with each other or with other unix systems, and doing it by hand is a torture reserved for the ninth circle of hell.
If only nss_ldap had a SID->UID/GID mapping like samba has.
-Ross
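Ross's per-domain ID ranges (100000-199999 for the first domain, 200000-299999 for the second, in his earlier message) and the collision problem he describes here are what Samba's idmap_rid backend solves with arithmetic instead of an allocation database: the Unix ID is RID - base_rid + low for the domain's range, and the mapping is refused if the result lands outside the range. The script below is an added example, not code from the thread or from Samba: it applies that formula to a two-domain table and checks that the ranges cannot overlap, which is what makes the resulting IDs safe to write back as uidNumber/gidNumber from any box. The domain SIDs and RIDs are constructed; the real ones come from wbinfo -D DOMAIN and wbinfo -n NAME.

```shell
#!/bin/sh
# Added example: idmap_rid-style SID -> Unix ID mapping over per-domain ranges.
# Not from the thread; the domain SIDs and RIDs below are constructed.

# One line per trusted domain: "<domain SID> <low> <high>". Every host that
# shares this table derives the same IDs, with no allocation database to sync.
IDMAP_TABLE='
S-1-5-21-1111111111-2222222222-3333333333 100000 199999
S-1-5-21-4444444444-5555555555-6666666666 200000 299999
'
BASE_RID=0   # idmap_rid's "base_rid"; raise it to skip well-known low RIDs

# sid_to_id SID: print the Unix ID for a user or group SID, or print nothing
# and return 1 when the domain is unknown, the RID is malformed, or the
# result would leave the domain's range (idmap_rid refuses the same cases).
sid_to_id() {
    _dom=${1%-*}     # SID minus its last component
    _rid=${1##*-}    # the last component, the RID
    case $_rid in ''|*[!0-9]*) return 1 ;; esac
    while read -r _dsid _low _high; do
        [ "$_dsid" = "$_dom" ] || continue
        _id=$((_rid - BASE_RID + _low))
        [ "$_id" -ge "$_low" ] && [ "$_id" -le "$_high" ] || return 1
        printf '%s\n' "$_id"
        return 0
    done <<EOF
$IDMAP_TABLE
EOF
    return 1
}

# ranges_disjoint: exit 0 if no two ranges in IDMAP_TABLE overlap; otherwise
# print each clash and exit 1. Run it whenever a domain is added to the table.
ranges_disjoint() {
    printf '%s\n' "$IDMAP_TABLE" | awk '
        BEGIN { bad = 0 }
        NF == 3 { n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0 }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        print "overlap: " dom[i] " and " dom[j]; bad = 1
                    }
            exit bad
        }'
}

# Demo: the same RID in two domains lands in two different ranges, a RID too
# large for its range is refused, and an unknown domain is refused.
for s in S-1-5-21-1111111111-2222222222-3333333333-1104 \
         S-1-5-21-4444444444-5555555555-6666666666-1104 \
         S-1-5-21-4444444444-5555555555-6666666666-150000 \
         S-1-5-21-9999999999-9999999999-9999999999-500; do
    if _id=$(sid_to_id "$s"); then echo "$s -> $_id"; else echo "$s -> refused"; fi
done
ranges_disjoint && echo "id ranges are disjoint"
```

The range width caps the RIDs a domain can ever use (100000 per domain here), so size it from the domain's current highest RID with room to grow, and keep every range clear of the UIDs local /etc/passwd and other Unix systems already use, since the formula knows nothing about them.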
How about winbind with a ldap backend? winbind creates the uids/gids and the rest just run nss_ldap?
I currently use an ldap directory to store the rids but I don't remember if they have been translated to uids/gids or whether the winbind modules do that...
On Feb 10, 2010, at 8:11 AM, Chan Chung Hang Christopher <christopher.chan@bradbury.edu.hk> wrote:
I don't know either, but if they do, that would work.
Can samba update uid/gidNumbers of existing LDAP directory CNs?
I still like the RID mapping, but if samba can write back uidNumbers based on RID map generated uids that would solve the problem.
-Ross
On Wed, 2010-02-10 at 09:50 -0500, Ross Walker wrote:
In essence, samba knows nothing about writing anything to LDAP but normally people would install smbldap-tools (not part of samba) to provide a toolset to write to LDAP.
If smbldap-tools doesn't do what you want, modify it.
Craig
Craig White wrote:
In essence, samba knows nothing about writing anything to LDAP but normally people would install smbldap-tools (not part of samba) to provide a toolset to write to LDAP.
Impossible. winbind certainly knows all about writing to LDAP otherwise it won't be a backend database for rid maps and especially for maintaining the same rids across boxes (okay, this got solved at a higher level and thus an ldap backend is not needed for maintaining identical rids across boxes) and I cannot imagine how that would be accomplished without knowing anything about writing to ldap.
If smbldap-tools doesn't do what you want, modify it.
??? What's that? ???
On Friday, 05.02.2010, 14:38 +0100, Dan Burkland wrote:
Why don't you try the way I proposed? It automatically sets up smb.conf, krb5.conf, pam and nss correctly. And it's the way the upstream vendor intended it to be used.
Chris
financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
On Friday, 05.02.2010, 05:20 +0100, Dan Burkland wrote:
You can find documentation on how to do that here: http://wiki.centos.org/TipsAndTricks/WinbindADS
Chris
W2k8r2 introduced some changes over w2k3 that made a newer Samba a must, iirc, when I did this. Otherwise you can lower the security requirements on the w2k8r2 server.
FWIW, I don't like Samba and would suggest using ldap:)